last sync: 2021-May-17 14:22:45 UTC

Azure Policy definition

Azure Key Vault Managed HSM should have purge protection enabled

Name: Azure Key Vault Managed HSM should have purge protection enabled
Id: c39ba22d-4428-4149-b981-70acb31fc383
Version: 1.0.0
Category: Key Vault
Description: Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period.
Mode: Indexed
Type: BuiltIn
Preview: FALSE
Deprecated: FALSE
Effect: Default: Audit; Allowed: (Audit, Deny, Disabled)
Used RBAC Role: none
History
Date/Time (UTC ymd) | Change type | Change detail
2021-02-17 14:28:42 | add | c39ba22d-4428-4149-b981-70acb31fc383
Used in Initiatives
Initiative DisplayName | Initiative Id | Initiative Category | State
CIS Microsoft Azure Foundations Benchmark v1.1.0 | 1a5bb27d-173f-493e-9568-eb56638dde4d | Regulatory Compliance | GA
HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA
JSON
{
  "properties": {
    "displayName": "Azure Key Vault Managed HSM should have purge protection enabled",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Malicious deletion of an Azure Key Vault Managed HSM can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge Azure Key Vault Managed HSM. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted Azure Key Vault Managed HSM. No one inside your organization or Microsoft will be able to purge your Azure Key Vault Managed HSM during the soft delete retention period.",
    "metadata": {
      "version": "1.0.0",
      "category": "Key Vault"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Enable or disable the execution of the policy"
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/managedHsms"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.KeyVault/managedHsms/enableSoftDelete",
                "notEquals": "true"
              },
              {
                "field": "Microsoft.KeyVault/managedHsms/enablePurgeProtection",
                "notEquals": "true"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/c39ba22d-4428-4149-b981-70acb31fc383",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "c39ba22d-4428-4149-b981-70acb31fc383"
}
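To see which resources the rule above flags, here is an added example (not code from this page, Microsoft, or the policy itself) that evaluates the policy's "if" block against constructed managed HSM records, using a simplified model of Azure Policy's comparison semantics: the "<type>/<property>" aliases are assumed to map onto the resource's properties object, string comparisons are case-insensitive, and a property that is absent compares as not equal to "true".

```python
# Added example: minimal evaluator for this policy's condition logic (assumed semantics, see lead-in).
POLICY_RULE_IF = {
    "allOf": [
        {"field": "type", "equals": "Microsoft.KeyVault/managedHsms"},
        {"anyOf": [
            {"field": "Microsoft.KeyVault/managedHsms/enableSoftDelete", "notEquals": "true"},
            {"field": "Microsoft.KeyVault/managedHsms/enablePurgeProtection", "notEquals": "true"},
        ]},
    ]
}

def _lookup(resource, field):
    # "type" is the top-level resource type; an alias like
    # "Microsoft.KeyVault/managedHsms/enablePurgeProtection" is assumed to
    # resolve to resource["properties"]["enablePurgeProtection"] (None if absent).
    if field == "type":
        return resource.get("type")
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1])

def _norm(value):
    # Policy compares values as case-insensitive strings; booleans render as "true"/"false".
    if isinstance(value, bool):
        return "true" if value else "false"
    return None if value is None else str(value).lower()

def evaluate(cond, resource):
    if "allOf" in cond:
        return all(evaluate(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, resource) for c in cond["anyOf"])
    actual = _norm(_lookup(resource, cond["field"]))
    if "equals" in cond:
        return actual == _norm(cond["equals"])
    if "notEquals" in cond:
        # A missing property (None) is "not equal" to "true", so it matches the rule.
        return actual != _norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")

def is_non_compliant(resource):
    """True when the 'if' block matches, i.e. the Audit/Deny effect would fire."""
    return evaluate(POLICY_RULE_IF, resource)

# Constructed sample resources for illustration (not real Azure records).
HSM_OK = {"type": "Microsoft.KeyVault/managedHsms",
          "properties": {"enableSoftDelete": True, "enablePurgeProtection": True}}
HSM_NO_PURGE = {"type": "Microsoft.KeyVault/managedHsms",
                "properties": {"enableSoftDelete": True, "enablePurgeProtection": False}}
HSM_UNSET = {"type": "Microsoft.KeyVault/managedHsms", "properties": {}}
VAULT = {"type": "Microsoft.KeyVault/vaults", "properties": {}}
```

Only HSM_OK passes; an HSM that never had the properties set is flagged just like one with purge protection explicitly disabled, and a regular key vault is outside this policy's scope.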